Risk Insider: Terri Nichols

Cyber Checklist for Risk Managers

By: Terri Nichols | January 25, 2016

Terri Morris-Nichols is system director of risk management at PeaceHealth, a not-for-profit health care system with 10 hospitals and medical facilities in Alaska, Washington and Oregon. She is a registered nurse with a master's degree in health administration. She can be reached at [email protected].

This article was written in conjunction with Christine Novotny, ARM, Manager, Risk and Insurance, PeaceHealth.

If the value of personal information makes us vulnerable, the value of health care information exponentially expands the bullseye. According to Reuters, medical records are worth up to 10 times more than credit card numbers on the black market.

As a health care organization, it is our responsibility to protect the integrity of our patients' records, and we take this responsibility very seriously.

All too often the effort has been focused on preventing and managing massive cyber-attacks. However, it is critically important that we also be mindful of the exposure the individual employee represents to our cyber security.

This could be the employee who inadvertently faxes data to the wrong person, leaves their computer unattended and at risk, or the employee who intentionally sets out to hurt the organization as a retaliatory measure. This is a real exposure that is often overlooked.

It’s important that you act in lockstep with network security and organizational teams in order to detect, stop, and address the untoward event appropriately. Cyber threats can be overwhelming and a contributor to sleepless nights.

To help us break this threat apart into manageable steps we have created a checklist for the risk manager.

Checklist for Risk Managers

  • Work with board and executive leadership to ensure support for cyber initiatives.
  • Provide for strong data breach identification and management policies and procedures, creating a zero-tolerance culture for data breaches.
  • Ensure that education and training occurs at all levels of the organization at least annually, to include basic definitions, policy content and the zero-tolerance culture.
  • Create a breach response team in partnership with Organizational Integrity, Finance, Legal, Risk, IT Security, Human Resources, and Communications to ensure that all are working together for immediate detection, response and action when a breach occurs.
  • Negotiate a robust cyber insurance policy that includes breach response and liability coverages, as well as coverage for regulatory actions, fines, and penalties.
  • Create opportunities for data breach preparedness planning.
  • Leverage your insurance carrier for education and loss prevention resources.
  • Understand the regulatory landscape through education and training.
  • Develop contracts with external partners, including forensic firms, law firms, and public relations firms, to assist during a large breach event.
  • Train, test, revise, train, test, and revise!

The answer to many cyber threats is having the force of an integrated cyber security and breach response team as your shield.